From 35da9bbbf7a7ad732c3a3219a1b9fa12e9a7fd85 Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 25 Mar 2026 09:53:08 -0400 Subject: [PATCH] add baseline --- aws/documentation/baseline.md | 60 +++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 aws/documentation/baseline.md diff --git a/aws/documentation/baseline.md b/aws/documentation/baseline.md new file mode 100644 index 00000000..209e0707 --- /dev/null +++ b/aws/documentation/baseline.md 
@@ -0,0 +1,60 @@ +# AWS Account Baseline + +This is a very brief list of services and configurations put in place in every account as part of the +account baseline (i.e., creation) process described [here](https://github.e.it.census.gov/terraform/cloud-information/tree/master/aws/documentation/account-setup). + +## Init + +* github repository created + * consistent configuration + * with account-specific teams +* account-specific GPG key +* git-secret initialization + +## Infrastructure + +* terraform state bucket and policies +* organization cloudtrail (one, defined in the master account); no other cloudtrail permitted +* config enabled to central config reporter +* S3 Log bucket (for access logs, ALB logs, etc.) +* S3 VPC flowlog bucket (mostly deprecated as we use shared VPCs now) +* S3 Default settings +* ECS Default settings +* Preload KMS keys (used for automation) +* Dynamic Route53 Lambda + +## Common + +* acccount settings +* general use policies +* creation of LDAP OU for SAML roles +* SAML provider setup (old id-provider.tco.census.gov) +* common enterprise/infrastructure roles +* VPC flowlog roles + +## via Stack, StackSets + +These are done at the OU level so they are not put down by the baseline code, but from central accounts. + +* Roles, permissions and users for ent/inf apps + * Apptio role for FinOps + * Datadog for monitoring + * Terraform use + * ECR + * Ansible + * Cross-account management and administration +* PowerScheduler +* ServiceCatalog + +## Post Baseline code + +* RDS network groups +* RDS parameter groups +* shared VPC setup +* shared VPCs +* base security groups + +# CHANGELOG + +* 1.0.0 -- 2026-03-25 + - initial
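Review bot: the "no other cloudtrail permitted" bullet under Infrastructure states a control without saying how it is enforced or detected; since this file is the account baseline of record, add the mechanism (e.g., which policy or Config rule blocks or flags additional trails) so a reader can verify the account actually meets it rather than just having the organization trail provisioned. Same for "S3 Default settings" and "ECS Default settings", which name no setting at all; one line each stating what is turned on (or a link to the code that sets them) would make the baseline auditable. Two smaller points in the same hunk: "acccount settings" under Common should read "account settings", and "# CHANGELOG" is a second top-level heading in a document whose title is "# AWS Account Baseline"; demote it to "## CHANGELOG" to keep one H1 per page, consistent with the other sections.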